U.S. patent application number 13/246930 was filed with the patent office on 2013-03-28 for creating and maintaining a security policy.
This patent application is currently assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. The applicant listed for this patent is Daniel J. Beauvais, Lawrence C. Ross, JR., Aria Zandi. Invention is credited to Daniel J. Beauvais, Lawrence C. Ross, JR., Aria Zandi.
Application Number: 20130081102 13/246930
Document ID: /
Family ID: 47912751
Filed Date: 2013-03-28
United States Patent Application 20130081102
Kind Code: A1
Beauvais; Daniel J.; et al.
March 28, 2013
CREATING AND MAINTAINING A SECURITY POLICY
Abstract
An approach for managing a security policy is provided. First,
second, and third specification sets are received after being
independently generated by different practitioners. The first
specification set maps service-to-service communications. The
second specification set maps the services to devices on which the
services are placed. The third specification set maps the devices
to one or more network addresses. The received specification sets
are algorithmically combined to create packet filtering rule
statements. The security policy is generated as packet filtering
rules based on the combined specification sets and the packet
filtering rule statements. An application deployment modification
includes independently editing specification set(s) that are
affected by the modification, without knowledge of specification
set(s) that are unaffected by the modification. An updated security
policy may be generated by an incremental update to an existing
security policy without requiring replacement of the entire
security policy.
Inventors: Beauvais; Daniel J. (Kitty Hawk, NC); Ross, JR.; Lawrence C. (Greensboro, NC); Zandi; Aria (New Carlisle, IN)
Applicant:
Name | City | State | Country | Type
Beauvais; Daniel J. | Kitty Hawk | NC | US |
Ross, JR.; Lawrence C. | Greensboro | NC | US |
Zandi; Aria | New Carlisle | IN | US |
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY
Family ID: 47912751
Appl. No.: 13/246930
Filed: September 28, 2011
Current U.S. Class: 726/1
Current CPC Class: H04L 63/0227 20130101; H04L 63/0263 20130101; G06F 21/552 20130101
Class at Publication: 726/1
International Class: G06F 21/00 20060101 G06F021/00
Claims
1. A method of managing a security policy, said method comprising:
a computer receiving a first specification set, a second
specification set and a third specification set, wherein said first
specification set maps each service of a first set of services to a
corresponding service of a second set of services based on each
service of said first set of services requiring communication with
said corresponding service of said second set of services, wherein
said first and second set of services are included in a plurality
of services, wherein said second specification set maps each
service of said plurality of services to one or more corresponding
devices of a plurality of devices, and wherein said third
specification set maps each device of said plurality of devices to
one or more network addresses; said computer combining said
received first, second and third specification sets by mapping said
first, second and third specification sets to a plurality of packet
filtering rule statements; and a processor of said computer
generating said security policy as a plurality of packet filtering
rules based on said combined first, second and third specification
sets and said plurality of packet filtering rule statements,
wherein each packet filtering rule of said plurality of packet
filtering rules specifies a corresponding source network address or
range of source network addresses, a corresponding destination
network address or range of destination network addresses, a
corresponding port or range of ports, a corresponding protocol and
a corresponding action.
2. The method of claim 1, further comprising: determining a
modification to a deployment of an application associated with said
plurality of services; determining one or more specification sets
of said first, second and third specification sets are affected by
said modification to said deployment and determining any other
specification set of said first, second and third specification
sets is unaffected by said modification to said deployment;
independently modifying said affected one or more specification
sets based on said modification to said deployment, wherein said
independently modifying does not require knowledge of said any
other specification set of said first, second and third
specification sets unaffected by said modification to said
deployment; said computer receiving said independently modified one
or more specification sets; said computer combining said received,
independently modified one or more specification sets and said any
other specification set by mapping said received, independently
modified one or more specification sets and said any other
specification set to an updated plurality of packet filtering rule
statements; and said computer updating said plurality of packet
filtering rules based on said combined, received, and independently
modified one or more specification sets.
3. The method of claim 2, wherein said updating said plurality of
packet filtering rules includes: leaving at least one packet
filtering rule of said plurality of packet filtering rules
unchanged; performing at least one of: adding a first subset of
packet filtering rule(s) to said plurality of packet filtering
rules; deleting a second subset of packet filtering rule(s) from
said plurality of packet filtering rules; and modifying a third
subset of packet filtering rule(s) included in said plurality of
packet filtering rules; and generating a delta set that indicates
at least one of: said added packet filtering rule(s) in said first
subset, said deleted packet filtering rule(s) in said second
subset, and said modified packet filtering rule(s) in said third
subset, wherein said delta set does not indicate said at least one
packet filtering rule left unchanged by said updating said
plurality of packet filtering rules, wherein said method further
comprises outputting said delta set to a computer file so that said
computer file includes one or more packet filtering rules of said
plurality of packet filtering rules that are changed by said
updating said plurality of packet filtering rules and so that said
computer file does not include said at least one packet filtering
rule left unchanged by said updating said plurality of packet
filtering rules.
4. The method of claim 2, wherein said updating said plurality of
packet filtering rules includes performing at least one of: adding
a first subset of packet filtering rule(s) to said plurality of
packet filtering rules; deleting a second subset of packet
filtering rule(s) from said plurality of packet filtering rules;
and modifying a third subset of packet filtering rule(s) included
in said plurality of packet filtering rules, wherein said updated
plurality of packet filtering rules includes one or more packet
filtering rules changed by said adding, said deleting, and said
modifying, wherein said updated plurality of packet filtering rules
further includes one or more other packet filtering rules unchanged
by said adding, said deleting and said modifying, wherein said
method further comprises outputting said updated plurality of
packet filtering rules to a computer file so that said computer
file includes a replacement for said security policy, and wherein
said replacement includes said one or more packet filtering rules
changed by said adding, said deleting, and said modifying, and
further includes said one or more other packet filtering rules
unchanged by said adding, said deleting, and said modifying.
5. The method of claim 2, wherein said determining said
modification to said deployment of said application includes
determining a change in a network address of a device of said
plurality of devices, wherein said determining one or more
specification sets of said first, second and third specification
sets are affected by said modification to said deployment includes
determining said third specification set is affected by said change
in said network address of said device, wherein said determining
any other specification set of said first, second and third
specification sets is unaffected by said modification to said
deployment includes determining said first and second specification
sets are unaffected by said change in said network address of said
device, wherein said independently modifying said affected one or
more specification sets includes modifying said third specification
set by mapping one or more devices of said plurality of devices to
a corresponding one or more other network addresses, wherein said
modifying said third specification set does not require knowledge
of said first and second specification sets that are unaffected by
said change in said network address of said device, wherein said
receiving said independently modified one or more specification
sets includes receiving said modified third specification set,
wherein said combining said received, independently modified one or
more specification sets and said any other specification set
includes combining said modified third specification set and said
first and second specification sets by mapping said received,
modified third specification set with said first and second
specification sets to said updated plurality of packet filtering
rule statements, and wherein said updating said plurality of packet
filtering rules based on said combined, received, and independently
modified one or more specification sets includes updating said
plurality of packet filtering rules based on said modified third
specification set and said first and second specification sets.
6. The method of claim 2, wherein said determining said
modification to said deployment of said application includes
determining a redistribution of a service of said plurality of
services to another device of said plurality of devices, wherein
said determining one or more specification sets of said first,
second and third specification sets are affected by said
modification to said deployment includes determining said second
specification set is affected by said redistribution of said
service to said another device, wherein said determining any other
specification set of said first, second and third specification
sets is unaffected by said modification to said deployment includes
determining said first and third specification sets are unaffected
by said redistribution of said service to said another device,
wherein said independently modifying said affected one or more
specification sets includes modifying said second specification set
by mapping said service to said another device, wherein said
modifying said second specification set does not require knowledge
of said first and third specification sets that are unaffected by
said redistribution of said service to said another device, wherein
said receiving said independently modified one or more
specification sets includes receiving said modified second
specification set, wherein said combining said received,
independently modified one or more specification sets and said any
other specification set includes combining said modified second
specification set and said first and third specification sets by
mapping said received, modified second specification set with said
first and third specification sets to said updated plurality of
packet filtering rule statements, and wherein said updating said
plurality of packet filtering rules based on said combined,
received, and independently modified one or more specification sets
includes updating said plurality of packet filtering rules based on
said modified second specification set and said first and third
specification sets.
7. The method of claim 2, wherein said determining said
modification to said deployment of said application includes
determining a change in a number of instantiations of a service of
said plurality of services, wherein said change in said number of
instantiations is associated with a new device added to said
plurality of devices or a device deleted from said plurality of
devices, wherein said determining one or more specification sets of
said first, second and third specification sets are affected by
said modification to said deployment includes determining said
second and third specification sets are affected by said change in
said number of instantiations of said service, wherein said
determining any other specification set of said first, second and
third specification sets is unaffected by said modification to said
deployment includes determining said first specification set is
unaffected by said change in said number of instantiations of said
service, wherein said independently modifying said affected one or
more specification sets includes: modifying said second
specification set by adding a mapping of a new instantiation of
said service to said new device if said change in said number of
instantiations of said service is associated with said new device
or by deleting a mapping of an existing instantiation of said
service to said device of said plurality of devices if said change
in said number of instantiations of said service is associated with
said device deleted from said plurality of devices; and modifying
said third specification set by adding a mapping of said new device
to a corresponding one or more other network addresses if said
change in said number of instantiations of said service is
associated with said new device or by deleting a mapping of said
device to said one or more network addresses if said change in said
number of instantiations of said service is associated with said
device, wherein said modifying said second and third specification
sets does not require knowledge of said first specification set
that is unaffected by said change in said number of instantiations
of said service, wherein said receiving said independently modified
one or more specification sets includes receiving said modified
second and third specification sets, wherein said combining said
received, independently modified one or more specification sets and
said any other specification set includes combining said modified
second and third specification sets and said first specification
set by mapping said received, modified second and third
specification sets with said first specification set to said
updated plurality of packet filtering rule statements, and wherein
said updating said plurality of packet filtering rules based on
said combined, received, and independently modified one or more
specification sets includes updating said plurality of packet
filtering rules based on said modified second and third
specification sets and said first specification set.
8. The method of claim 1, further comprising: subsequent to said
generating said security policy and based on said security policy,
said computer controlling network traffic flows required by an
instance of an application associated with said plurality of
services and said plurality of devices; subsequent to said
generating said security policy, said computer determining a
deployment of a new instance of said application; determining said
second and third specification sets are affected by said deployment
of said new instance of said application; determining said first
specification set is unaffected by said deployment of said new
instance of said application; independently modifying said second
and third specification sets, wherein said independently modifying
includes: modifying said second specification set by mapping each
service of said plurality of services to one or more corresponding
devices of a second plurality of devices having network addresses
different from other network addresses of said plurality of
devices; and modifying said third specification set by mapping at
least one new device of said second plurality of devices to a
corresponding one or more network addresses, wherein said new
device is not included in said plurality of devices, wherein said
independently modifying does not require knowledge of said first
specification set; said computer receiving said independently
modified second and third specification sets; said computer
combining said received, independently modified second and third
specification sets and said first specification set by mapping said
received, independently modified second and third specification
sets and said first specification set to an updated plurality of
packet filtering rule statements; and said computer re-generating
said security policy as an update of said plurality of packet
filtering rules based on said combined, received, and independently
modified second and third specification sets and said first
specification set, and based on said updated plurality of packet
filtering rule statements.
9. A computer program product, comprising a computer-readable,
tangible storage device having a computer-readable program code
stored therein, said computer-readable program code containing
instructions that are carried out by a central processing unit
(CPU) of a computer system to implement a method of managing a
security policy, said method comprising: receiving a first
specification set, a second specification set and a third
specification set, wherein said first specification set maps each
service of a first set of services to a corresponding service of a
second set of services based on each service of said first set of
services requiring communication with said corresponding service of
said second set of services, wherein said first and second set of
services are included in a plurality of services, wherein said
second specification set maps each service of said plurality of
services to one or more corresponding devices of a plurality of
devices, and wherein said third specification set maps each device
of said plurality of devices to one or more network addresses;
combining said received first, second and third specification sets
by mapping said first, second and third specification sets to a
plurality of packet filtering rule statements; and said CPU of said
computer system generating said security policy as a plurality of
packet filtering rules based on said combined first, second and
third specification sets and said plurality of packet filtering
rule statements, wherein each packet filtering rule of said
plurality of packet filtering rules specifies a corresponding
source network address or range of source network addresses, a
corresponding destination network address or range of destination
network addresses, a corresponding port or range of ports, a
corresponding protocol and a corresponding action.
10. The program product of claim 9, wherein said method further
comprises: receiving one or more specification sets of said first,
second and third specification sets that are affected by a
modification to a deployment of an application associated with said
plurality of services and that are independently modified based on
said modification to said deployment, without requiring knowledge
of any other specification set unaffected by said modification to
said deployment; combining said received, independently modified
one or more specification sets and said any other specification set
by mapping said received, independently modified one or more
specification sets and said any other specification set to an
updated plurality of packet filtering rule statements; and updating
said plurality of packet filtering rules based on said combined,
received, and independently modified one or more specification
sets.
11. The program product of claim 10, wherein said updating said
plurality of packet filtering rules includes: leaving at least one
packet filtering rule of said plurality of packet filtering rules
unchanged; performing at least one of: adding a first subset of
packet filtering rule(s) to said plurality of packet filtering
rules; deleting a second subset of packet filtering rule(s) from
said plurality of packet filtering rules; and modifying a third
subset of packet filtering rule(s) included in said plurality of
packet filtering rules; and generating a delta set that indicates
at least one of: said added packet filtering rule(s) in said first
subset, said deleted packet filtering rule(s) in said second
subset, and said modified packet filtering rule(s) in said third
subset, wherein said delta set does not indicate said at least one
packet filtering rule left unchanged by said updating said
plurality of packet filtering rules, wherein said method further
comprises outputting said delta set to a computer file so that said
computer file includes one or more packet filtering rules of said
plurality of packet filtering rules that are changed by said
updating said plurality of packet filtering rules and so that said
computer file does not include said at least one packet filtering
rule left unchanged by said updating said plurality of packet
filtering rules.
12. The program product of claim 10, wherein said updating said
plurality of packet filtering rules includes performing at least
one of: adding a first subset of packet filtering rule(s) to said
plurality of packet filtering rules; deleting a second subset of
packet filtering rule(s) from said plurality of packet filtering
rules; and modifying a third subset of packet filtering rule(s)
included in said plurality of packet filtering rules, wherein said
updated plurality of packet filtering rules includes one or more
packet filtering rules changed by said adding, said deleting, and
said modifying, wherein said updated plurality of packet filtering
rules further includes one or more other packet filtering rules
unchanged by said adding, said deleting and said modifying, wherein
said method further comprises outputting said updated plurality of
packet filtering rules to a computer file so that said computer
file includes a replacement for said security policy, and wherein
said replacement includes said one or more packet filtering rules
changed by said adding, said deleting, and said modifying, and
further includes said one or more other packet filtering rules
unchanged by said adding, said deleting, and said modifying.
13. A computer system comprising: a central processing unit (CPU);
a memory coupled to said CPU; a computer-readable, tangible storage
device coupled to said CPU, said storage device containing
instructions that are carried out by said CPU via said memory to
implement a method of managing a security policy, said method
comprising: receiving a first specification set, a second
specification set and a third specification set, wherein said first
specification set maps each service of a first set of services to a
corresponding service of a second set of services based on each
service of said first set of services requiring communication with
said corresponding service of said second set of services, wherein
said first and second set of services are included in a plurality
of services, wherein said second specification set maps each
service of said plurality of services to one or more corresponding
devices of a plurality of devices, and wherein said third
specification set maps each device of said plurality of devices to
one or more network addresses; combining said received first,
second and third specification sets by mapping said first, second
and third specification sets to a plurality of packet filtering
rule statements; and said CPU of said computer system generating
said security policy as a plurality of packet filtering rules based
on said combined first, second and third specification sets and
said plurality of packet filtering rule statements, wherein each
packet filtering rule of said plurality of packet filtering rules
specifies a corresponding source network address or range of source
network addresses, a corresponding destination network address or
range of destination network addresses, a corresponding port or
range of ports, a corresponding protocol and a corresponding
action.
14. The computer system of claim 13, wherein said method further
comprises: receiving one or more specification sets of said first,
second and third specification sets that are affected by a
modification to a deployment of an application associated with said
plurality of services and that are independently modified based on
said modification to said deployment, without requiring knowledge
of any other specification set unaffected by said modification to
said deployment; combining said received, independently modified
one or more specification sets and said any other specification set
by mapping said received, independently modified one or more
specification sets and said any other specification set to an
updated plurality of packet filtering rule statements; and updating
said plurality of packet filtering rules based on said combined,
received, and independently modified one or more specification
sets.
15. The computer system of claim 14, wherein said updating
said plurality of packet filtering rules includes: leaving at least
one packet filtering rule of said plurality of packet filtering
rules unchanged; performing at least one of: adding a first subset
of packet filtering rule(s) to said plurality of packet filtering
rules; deleting a second subset of packet filtering rule(s) from
said plurality of packet filtering rules; and modifying a third
subset of packet filtering rule(s) included in said plurality of
packet filtering rules; and generating a delta set that indicates
at least one of: said added packet filtering rule(s) in said first
subset, said deleted packet filtering rule(s) in said second
subset, and said modified packet filtering rule(s) in said third
subset, wherein said delta set does not indicate said at least one
packet filtering rule left unchanged by said updating said
plurality of packet filtering rules, wherein said method further
comprises outputting said delta set to a computer file so that said
computer file includes one or more packet filtering rules of said
plurality of packet filtering rules that are changed by said
updating said plurality of packet filtering rules and so that said
computer file does not include said at least one packet filtering
rule left unchanged by said updating said plurality of packet
filtering rules.
16. The computer system of claim 14, wherein said updating said
plurality of packet filtering rules includes performing at least
one of: adding a first subset of packet filtering rule(s) to said
plurality of packet filtering rules; deleting a second subset of
packet filtering rule(s) from said plurality of packet filtering
rules; and modifying a third subset of packet filtering rule(s)
included in said plurality of packet filtering rules, wherein said
updated plurality of packet filtering rules includes one or more
packet filtering rules changed by said adding, said deleting, and
said modifying, wherein said updated plurality of packet filtering
rules further includes one or more other packet filtering rules
unchanged by said adding, said deleting and said modifying, wherein
said method further comprises outputting said updated plurality of
packet filtering rules to a computer file so that said computer
file includes a replacement for said security policy, and wherein
said replacement includes said one or more packet filtering rules
changed by said adding, said deleting, and said modifying, and
further includes said one or more other packet filtering rules
unchanged by said adding, said deleting, and said modifying.
17. A process for supporting computing infrastructure, said process
comprising providing at least one support service for at least one
of creating, integrating, hosting, maintaining, and deploying
computer-readable code in a computer system comprising a central
processing unit (CPU), wherein said CPU carries out instructions
contained in said code causing said computer system to perform a
method of managing a security policy, wherein said method
comprises: said computer system receiving a first specification
set, a second specification set and a third specification set,
wherein said first specification set maps each service of a first
set of services to a corresponding service of a second set of
services based on each service of said first set of services
requiring communication with said corresponding service of said
second set of services, wherein said first and second set of
services are included in a plurality of services, wherein said
second specification set maps each service of said plurality of
services to one or more corresponding devices of a plurality of
devices, and wherein said third specification set maps each device
of said plurality of devices to one or more network addresses; said
computer system combining said received first, second and third
specification sets by mapping said first, second and third
specification sets to a plurality of packet filtering rule
statements; and said CPU of said computer system generating said
security policy as a plurality of packet filtering rules based on
said combined first, second and third specification sets and said
plurality of packet filtering rule statements, wherein each packet
filtering rule of said plurality of packet filtering rules
specifies a corresponding source network address or range of source
network addresses, a corresponding destination network address or
range of destination network addresses, a corresponding port or
range of ports, a corresponding protocol and a corresponding
action.
18. The process of claim 17, wherein said method further comprises:
receiving one or more specification sets of said first, second and
third specification sets that are affected by a modification to a
deployment of an application associated with said plurality of
services and that are independently modified based on said
modification to said deployment, without requiring knowledge of any
other specification set unaffected by said modification to said
deployment; combining said received, independently modified one or
more specification sets and said any other specification set by
mapping said received, independently modified one or more
specification sets and said any other specification set to an
updated plurality of packet filtering rule statements; and updating
said plurality of packet filtering rules based on said combined,
received, and independently modified one or more specification
sets.
19. The process of claim 18, wherein said updating said plurality
of packet filtering rules includes: leaving at least one packet
filtering rule of said plurality of packet filtering rules
unchanged; performing at least one of: adding a first subset of
packet filtering rule(s) to said plurality of packet filtering
rules; deleting a second subset of packet filtering rule(s) from
said plurality of packet filtering rules; and modifying a third
subset of packet filtering rule(s) included in said plurality of
packet filtering rules; and generating a delta set that indicates
at least one of: said added packet filtering rule(s) in said first
subset, said deleted packet filtering rule(s) in said second
subset, and said modified packet filtering rule(s) in said third
subset, wherein said delta set does not indicate said at least one
packet filtering rule left unchanged by said updating said
plurality of packet filtering rules, wherein said method further
comprises outputting said delta set to a computer file so that said
computer file includes one or more packet filtering rules of said
plurality of packet filtering rules that are changed by said
updating said plurality of packet filtering rules and so that said
computer file does not include said at least one packet filtering
rule left unchanged by said updating said plurality of packet
filtering rules.
20. The process of claim 18, wherein said updating said plurality
of packet filtering rules includes performing at least one of:
adding a first subset of packet filtering rule(s) to said plurality
of packet filtering rules; deleting a second subset of packet
filtering rule(s) from said plurality of packet filtering rules;
and modifying a third subset of packet filtering rule(s) included
in said plurality of packet filtering rules, wherein said updated
plurality of packet filtering rules includes one or more packet
filtering rules changed by said adding, said deleting, and said
modifying, wherein said updated plurality of packet filtering rules
further includes one or more other packet filtering rules unchanged
by said adding, said deleting and said modifying, wherein said
method further comprises outputting said updated plurality of
packet filtering rules to a computer file so that said computer
file includes a replacement for said security policy, and wherein
said replacement includes said one or more packet filtering rules
changed by said adding, said deleting, and said modifying, and
further includes said one or more other packet filtering rules
unchanged by said adding, said deleting, and said modifying.
Description
TECHNICAL FIELD
[0001] The present invention relates to a data processing method
and system for managing a security policy, and more particularly to
a data processing technique for creating and maintaining end-to-end
packet filtering rules in a security policy.
BACKGROUND
[0002] Packet filtering rules are a collection of rule statements
written in a dense language. Each rule statement specifies
permissions for a particular network connection across a packet
filtering device. Each rule statement includes a network address
for the source of a packet, another network address for the
destination of the packet, a protocol specification, a port
specification, and an action, such as permit or deny the
communication of the packet. A rule statement compacts a
significant amount of information into a concise statement, which
must be exact.
BRIEF SUMMARY
[0003] Embodiments of the present invention provide a method of
managing a security policy. The method comprises:
[0004] A computer receiving a first specification set, a second
specification set and a third specification set, wherein the first
specification set maps each service of a first set of services to a
corresponding service of a second set of services based on each
service of the first set of services requiring communication with
the corresponding service of the second set of services, wherein
the first and second set of services are included in a plurality of
services, wherein the second specification set maps each service of
the plurality of services to one or more corresponding devices of a
plurality of devices, and wherein the third specification set maps
each device of the plurality of devices to one or more network
addresses;
[0005] The computer combining the received first, second and third
specification sets by mapping the first, second and third
specification sets to a plurality of packet filtering rule
statements; and
[0006] A processor of the computer generating the security policy
as a plurality of packet filtering rules based on the combined
first, second and third specification sets and the plurality of
packet filtering rule statements, wherein each packet filtering
rule of the plurality of packet filtering rules specifies a
corresponding source network address or range of source network
addresses, a corresponding destination network address or range of
destination network addresses, a corresponding port or range of
ports, a corresponding protocol and a corresponding action.
[0007] In one aspect of the present invention, the first, second,
and third specification sets are received in the aforementioned
method after being independently generated by different
practitioners.
[0008] In one aspect of the present invention, after the security
policy is generated in the aforementioned method, the security
policy may be maintained by determining an application deployment
modification and independently editing the specification set(s)
that are affected by the application deployment modification, and
without knowledge of specification set(s) that are unaffected by
the application deployment modification.
[0009] A system, program product and a process for supporting
computing infrastructure where the process provides at least one
support service are also described herein, where the system,
program product and process for supporting computing infrastructure
correspond to the aforementioned method.
[0010] Embodiments of the present invention provide distinct
sub-tasks for developing packet filtering rules, which yield simple
and highly independent specification sets that can be individually
edited and maintained, and can be automatically combined to form a
complete security policy with consistently higher quality and lower
cost than existing manual processes. Furthermore, the independent
specification sets provide modularity and resilience that allow
network traffic flow specifications to remain stable in response to
a change in a network address of a device, a redistribution of
services on devices, or a change in the number of instantiations of
a service. The modularity of the specification sets provides simple
and direct production of delta sets, which support incremental
additions, deletions and/or updates to an existing security policy
without requiring replacement of the entire security policy.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIG. 1 is a block diagram of a system for managing a
security policy, in accordance with embodiments of the present
invention.
[0012] FIG. 2 is a flowchart of a process that includes creating a
security policy, where the process is implemented in the system of
FIG. 1, in accordance with embodiments of the present
invention.
[0013] FIG. 3 is a flowchart of a process of maintaining a security
policy, where the process is implemented in the system of FIG. 1,
in accordance with embodiments of the present invention.
[0014] FIG. 4 is a block diagram of a computer system that is
included in the system of FIG. 1 and that implements the processes
of FIG. 2 and FIG. 3, in accordance with embodiments of the present
invention.
DETAILED DESCRIPTION
Overview
[0015] The present invention recognizes that known methods for
managing packet filtering rules include a single practitioner
manually writing and/or manually editing firewall rules to meet a
given business requirement, which is a complex and error-prone
task. The present invention also recognizes that known methods of
deploying an installed system at another location require a tedious
and error-prone reviewing of all rule statements to determine what
manual editing is necessary for the deployment at the other
location. The present invention further recognizes that a designer
thinks in terms of service names and data flow names, rather than
in terms of network addresses and port numbers required in packet
filtering rule statements; therefore, an error in a low-level
packet filtering rule statement, such as transposed digits, is
extremely difficult to detect.
[0016] Embodiments of the present invention may provide a method
and system for managing a security policy, which includes a
simplified technique for creating and maintaining packet filtering
rules included in the security policy. In one embodiment, the
security policy being managed by the embodiments presented herein
is an end-to-end or enterprise security policy provided for
multiple packet filtering devices. The known complex and error
prone task of developing packet filtering rules may be divided into
new, less complex, and distinct sub-tasks that are performed by
multiple corresponding practitioners. Each of the multiple
practitioners (e.g., designers) can work on completing the
sub-tasks independently of the others, thereby limiting the scope
of any necessary modifications and supporting a higher level of
verification. Completing the packet filtering rule development
sub-tasks results in high-level specification sets that can be
independently edited and maintained. A computer automatically
combines the specification sets to form a computer network traffic
security policy by mapping the high-level specification sets to
detailed, complex packet filtering rule statements. Each resulting
packet filtering rule statement is expressed in terms of numbers
that specify a source network address or a range of source network
addresses, a destination network address or a range of destination
network addresses, a protocol specification, a port or a range of
ports, and an action such as permit or deny the communication of a
packet via a packet filtering device.
[0017] Based on the complex packet filtering rule statements mapped
to the combined specification sets, packet filtering rules are
modified in, added to, and/or deleted from an existing security
policy to generate either a delta set of packet filtering rules
that includes only updates to the existing security policy or that
includes an updated version of the entire security policy, where
the updated version replaces the entire existing security policy.
The delta set may be used to update the existing security policy
without replacing the entire existing security policy.
[0018] Embodiments of the present invention may allow people and
machines to do what each does best. That is, human system designers
are allowed to generate high-level specifications of packet
filtering rules in terms of high-level concepts related to
requirements for control of network traffic, while a computer
process handles the mapping of the high-level specifications to
detailed packet filtering rule statements expressed in terms of
numbers.
[0019] A system designer conceptualizes the network traffic flows
in terms of opening paths between services, but packet filtering
rules are written in terms of the network addresses of the devices
on which the services are deployed. A single services-level flow
may generate many specific rules in a typical distributed
deployment, where the services are instantiated on multiple devices
in order to provide redundancy and capacity. Embodiments of the
present invention may allow one practitioner to specify what
services need to communicate with other services, while another
practitioner specifies the devices on which the services are
placed, and yet another practitioner specifies network addresses of
the devices. The security policy creation and maintenance tool
disclosed herein may combine each service flow specification with
service distribution specifications, and with device address
specifications, thereby generating packet filtering rules written
in terms of network addresses, ports, protocols and actions. The
generated packet filtering rules specify a security policy used to
filter packets sent between computer devices, where there is a
many-to-many relationship between computer devices that are a
source of the packets and computer devices that are a destination
of the packets.
System for Managing a Security Policy
[0020] FIG. 1 is a block diagram of a system for managing a
security policy, in accordance with embodiments of the present
invention. System 100 includes a computer system 102, which runs a
software-based security policy creation and maintenance tool 104.
Security policy creation and maintenance tool 104 receives first,
second and third specifications sets, which are a service flow
specification set 106, a service placement specification set 108,
and a device address specification set 110, respectively.
[0021] Service flow specification set 106 maps each service of a
first set of services to a corresponding service of a second set of
services based on each service of the first set of services
requiring communication with the corresponding service of the
second set of services. A plurality of services consists of the
first and second set of services. Service placement specification
set 108 maps each service of the plurality of services to one or
more corresponding devices of a plurality of devices. Device
address specification set 110 maps each device of the plurality of
devices to one or more network addresses.
[0022] Tool 104 automatically maps the specification sets 106, 108,
110 to a plurality of packet filtering rule statements. Tool 104
generates a security policy 112 (a.k.a. a collection of packet
filtering rules). A packet filtering device 114 (e.g., a firewall)
in system 100 receives security policy 112 and uses the security
policy 112 to filter packets being sent from one or more source
computer devices 116-1 . . . 116-M to one or more destination
computer devices 118-1 . . . 118-N, where M ≥ 1 and
N ≥ 1. In one embodiment, source device(s) 116-1 . . . 116-M
and destination device(s) 118-1 . . . 118-N are computer systems
communicating with each other via a computer network.
[0023] In another embodiment, system 100 may include multiple
packet filtering devices, and tool 104 may provide a security
policy across the multiple packet filtering devices. For example,
an enterprise or application may have multiple firewalls that are
supported by tool 104.
[0024] Computer system 102 may include hardware and software
components, which are described below relative to FIG. 4.
[0025] The functionality of the components of system 100 is further
described below relative to FIG. 2, FIG. 3 and FIG. 4.
Process for Creating a Security Policy
[0026] FIG. 2 is a flowchart of a process that includes creating a
security policy, where the process is implemented in the system of
FIG. 1, in accordance with embodiments of the present invention.
The process of creating a security policy starts at step 200. Steps
202, 204 and 206 may be performed in any order. Further, two or
more of the steps 202, 204 and 206 may be performed in parallel or
partly in parallel.
[0027] Steps 202, 204 and 206 provide modularity by allowing the
compartmentalization of the sub-tasks of developing independent
specification sets 106, 108, 110 (see FIG. 1). Because of the
compartmentalization, different practitioners, without overlap, may
develop the independent specification sets. In one embodiment, each
of the specification sets 106, 108, 110 (see FIG. 1) is defined and
managed by a different person. By separating the sub-tasks,
interdependencies are reduced, which enables more thorough
verification. Division into independent specification sets reduces
the risk of unintentional change, which may not be discovered and
corrected until much later in the process and at a greater
cost.
[0028] In step 202, a practitioner generates service flow
specification set 106 (see FIG. 1) by mapping what services of the
plurality of services need to communicate with what other services
of the plurality of services.
[0029] In step 204, a practitioner generates service placement
specification set 108 (see FIG. 1) by mapping a distribution of the
plurality of services onto the plurality of devices, where each
service may be mapped to one or more devices.
[0030] In step 206, a practitioner generates device address
specification set 110 by mapping each device of the plurality of
devices to one or more corresponding specific network
addresses.
[0031] In one embodiment, the practitioners performing steps 202,
204 and 206 are first, second and third practitioners who are three
different users of system 100 (see FIG. 1). In another embodiment,
a first practitioner performs exactly two of the steps 202, 204 and
206 and a second practitioner who is different from the first
practitioner performs the other step of the steps 202, 204 and 206.
In yet another embodiment, the same practitioner performs all three
of the steps 202, 204 and 206.
[0032] As one example, steps 202, 204 and 206 may generate and
store the specification sets in a worksheet provided by a
spreadsheet program. In one embodiment, steps 202, 204 and 206
generate the specification sets by populating simple tables and do
not require any proficiency in writing specifications in a model
definition language (e.g., a language for defining an instance of
an entity-relationship model).
[0033] After all of steps 202, 204 and 206 are completed, then step
208 is performed. In step 208, security policy creation and
maintenance tool 104 (see FIG. 1) receives the specification sets
generated in steps 202, 204 and 206.
[0034] In step 210, tool 104 (see FIG. 1) combines service flow
specification set 106 (see FIG. 1), service placement specification
set 108 (see FIG. 1), and device address specification set 110 (see
FIG. 1) by mapping the aforementioned specification sets to packet
filtering rule statements.
[0035] In step 212, tool 104 (see FIG. 1) automatically generates
packet filtering rules (i.e., security policy 112 in FIG. 1) based
on the combined specification sets 106, 108 and 110 (see FIG. 1)
and the aforementioned packet filtering rule statements. Each
packet filtering rule of the generated packet filtering rules
specifies a source network address or a range of source network
addresses, a destination network address or a range of destination
network addresses, a port or a range of ports, a protocol, and an
action, such as permit or deny the sending of a packet from a
source device of source device(s) 116-1 . . . 116-M (see FIG. 1) to
a destination device of destination device(s) 118-1 . . . 118-N
(see FIG. 1) via packet filtering device 114 (see FIG. 1). The
process of creating a security policy ends after step 212.
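As an added illustration of steps 208 through 212 (this is example code written for this page, not code from the patent or from tool 104), the following Python combines three constructed specification tables, in the simple spreadsheet-like form described in paragraph [0032], into packet filtering rules. The column names, the service and device names, the addresses, and the textual rule statement syntax are all assumptions of the example. It also shows the many-to-many expansion of paragraph [0019]: one service-level flow yields one rule per (source instance address, destination instance address) pair, and a service with no placement or a device with no address is reported as a gap between the sets rather than silently producing fewer rules.

```python
import csv
import io
import ipaddress

# Constructed sample specification sets (not from the patent). Each is the
# kind of simple table a practitioner could fill in with a spreadsheet:
# step 202 (service flows), step 204 (service placement), step 206
# (device addresses). Column names are assumptions of this example.
SERVICE_FLOWS_CSV = """\
source_service,destination_service,protocol,port,action
web,app,tcp,8080,permit
app,db,tcp,5432,permit
web,db,tcp,5432,deny
"""

SERVICE_PLACEMENT_CSV = """\
service,device
web,web01
web,web02
app,app01
db,db01
"""

DEVICE_ADDRESSES_CSV = """\
device,address
web01,10.0.1.11
web02,10.0.1.12
app01,10.0.2.21
db01,10.0.3.31
db01,10.0.3.32
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_flows(csv_text):
    """Service flow set: (source service, destination service, protocol, port, action)."""
    return [(r["source_service"], r["destination_service"], r["protocol"],
             int(r["port"]), r["action"]) for r in _rows(csv_text)]


def load_placement(csv_text):
    """Service placement set: service -> list of devices it is instantiated on."""
    placement = {}
    for r in _rows(csv_text):
        placement.setdefault(r["service"], []).append(r["device"])
    return placement


def load_addresses(csv_text):
    """Device address set: device -> list of network addresses (syntax-checked)."""
    addresses = {}
    for r in _rows(csv_text):
        addr = str(ipaddress.ip_address(r["address"]))  # rejects a malformed address
        addresses.setdefault(r["device"], []).append(addr)
    return addresses


def _lookup(table, key, what):
    # A service with no placement or a device with no address is a gap between
    # the specification sets; report it instead of silently emitting fewer rules.
    if key not in table:
        raise ValueError(f"{what} {key!r} has no entry in its specification set")
    return table[key]


def generate_rules(flows, placement, addresses):
    """Combine the three sets into packet filtering rules (steps 210 and 212).

    A rule is (source address, destination address, protocol, port, action).
    One service-level flow expands to every (source instance, destination
    instance) address pair, so a single flow may yield many rules when the
    services run on several devices or a device has several addresses.
    """
    rules = []
    for src_svc, dst_svc, proto, port, action in flows:
        for src_dev in _lookup(placement, src_svc, "service"):
            for dst_dev in _lookup(placement, dst_svc, "service"):
                for src_addr in _lookup(addresses, src_dev, "device"):
                    for dst_addr in _lookup(addresses, dst_dev, "device"):
                        rules.append((src_addr, dst_addr, proto, port, action))
    return list(dict.fromkeys(rules))  # drop duplicates, keep first-seen order


def format_rule(rule):
    """Render one rule as a text statement (the statement syntax is illustrative)."""
    src, dst, proto, port, action = rule
    return f"{action} {proto} from {src} to {dst} port {port}"


def build_policy():
    """Steps 208 to 212 end to end on the constructed tables; returns the rule list."""
    return generate_rules(load_flows(SERVICE_FLOWS_CSV),
                          load_placement(SERVICE_PLACEMENT_CSV),
                          load_addresses(DEVICE_ADDRESSES_CSV))


if __name__ == "__main__":
    for rule in build_policy():  # step 214 would write these lines to a file
        print(format_rule(rule))
```

On the constructed tables the three service flows expand to eight rules: two for web to app, two for app to db (db01 has two addresses), and four deny rules for web to db. Address syntax is validated when the device address set is loaded, which is the point at which the transposed-digit errors mentioned in paragraph [0015] can at least be checked for well-formedness, even though a syntactically valid but wrong address can only be caught by reviewing the small device address table itself.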
[0036] In step 214, tool 104 (see FIG. 1) outputs to a computer
file the packet filtering rules generated in step 212. In one
embodiment, subsequent to step 214 and prior to step 216, a person
receives the computer file that includes the packet filtering rules
(e.g., by manually receiving a storage device that stores the
computer file or by receiving an email), and the person
subsequently inputs the computer file to packet filtering device
114 (see FIG. 1). In another embodiment, subsequent to step 214 and
prior to step 216, tool 104 (see FIG. 1) automatically sends the
computer file that includes the packet filtering rules to packet
filtering device 114 (see FIG. 1).
[0037] In step 216, packet filtering device 114 (see FIG. 1)
receives the packet filtering rules and subsequently may use the
received packet filtering rules to filter packets sent by the
source device referenced in step 212 to the destination device
referenced in step 212. After step 216, the implementation of the
security policy is complete.
[0038] In step 218, the process of FIG. 2 ends.
Process for Maintaining a Security Policy
[0039] FIG. 3 is a flowchart of a process of maintaining a security
policy, where the process is implemented in the system of FIG. 1,
in accordance with embodiments of the present invention. The
process of maintaining a security policy starts at step 300. In
step 302, one or more practitioners determine a modification to a
deployment of an application that employs the plurality of
services. Hereinafter, the modification to a deployment of the
application is also referred to as an application deployment
modification.
[0040] Changes required by an application deployment modification
are, in some cases, limited to changes to one or two of the three
specification sets 106, 108, 110 (see FIG. 1). Since there is a
high degree of independence between the specification sets, the
limited scope of the change improves overall resilience by focusing
verification, and by reducing the occurrence of cascading
errors.
[0041] Application deployment modification may be necessary for
reasons such as:
[0042] A change in the network address of a device
[0043] Services are redistributed on devices to better balance the
system
[0044] The number of instantiations of a service changes due to
changes in application load
[0045] In step 304, one or more practitioners determine whether
exactly one, exactly two, or all three of the specification sets
106, 108, 110 (see FIG. 1) are affected by the application
deployment modification determined in step 302.
[0046] If exactly one of the specification sets 106, 108, 110 (see
FIG. 1) is determined to be affected by the application deployment
modification, then the other specification sets are determined to
be unaffected by the application deployment modification. If
exactly two of the specification sets 106, 108, 110 (see FIG. 1)
are determined to be affected by the application deployment
modification, then the other specification set is determined to be
unaffected by the application deployment modification.
[0047] Table 1 lists examples of types of application deployment
modifications and which specification set(s) are affected or
unaffected by each type of modification. It should be noted that in
all cases in Table 1, and indeed for any change requiring
regeneration of the security policy, if a specification set is not
affected, no further knowledge of that specification set is
required, and the practitioner responsible for that specification
set need not even be aware of the changes in other specification
sets or of the regeneration of the security policy.
TABLE 1

Type of Modification | Service Flow Affected? | Service Placement Affected? | Device Address Affected?
Device network addresses are changed | No; the flow is between the same logical services | No; services are still on the same devices | Yes; device address on the network changes
Services are redistributed on devices | No; the flow is between the same logical services | Yes; services are placed on different devices | No; the number and addresses of devices have not changed
Number of service instantiations changes | No; the flow is between the same logical services | Possible; additional service instances are placed on the same number or a different number of devices, or service instances are deleted | Yes; new devices are introduced or devices are eliminated
A new service is added to an existing device | Yes; the new service has new flows | Yes; the new service is placed on a device | No; the device on which the service is placed is an existing device
A new flow is added to an existing service on an existing device | Yes; the flow being added is a new flow | No; the service to which the new flow is added is an existing service | No; the device is an existing device
[0048] If exactly one of the specification sets 106, 108, 110 (see
FIG. 1) is determined to be affected in step 304, then in step 306
a single practitioner modifies the affected specification set
without requiring any knowledge of the unaffected specification
sets.
[0049] If exactly two of the specification sets 106, 108, 110 (see
FIG. 1) are determined to be affected in step 304, then in step
306, practitioner(s) modify the two affected specification sets. In
one embodiment, two different practitioners modify the affected
specification sets, where each of the two practitioners modifies a
respective affected specification set independently of the other
practitioner and where the two practitioners do not require
knowledge of the unaffected specification set.
[0050] If exactly three of the specification sets 106, 108, 110
(see FIG. 1) are determined to be affected in step 304, then in
step 306, practitioner(s) modify the three affected specification
sets. In one embodiment, three different practitioners modify the
affected specification sets, where each of the three practitioners
modifies a respective affected specification set independently of
the other practitioners.
[0051] The modified specification set(s) made in step 306 are based
on the application deployment modification determined in step 302.
The modified specification set(s), which are known to be correct,
are used in the following steps to automatically regenerate packet
filtering rules (e.g., firewall rules).
[0052] In step 308, security policy creation and maintenance tool
104 (see FIG. 1) receives the specification set(s) modified in step
306.
[0053] In step 310, tool 104 (see FIG. 1) combines specification
sets 106, 108, 110 (see FIG. 1) by mapping the aforementioned
specification sets to packet filtering rule statements.
[0054] In step 312, tool 104 (see FIG. 1) automatically updates
packet filtering rules (i.e., security policy 112 in FIG. 1) based
on the specification sets 106, 108 and 110 (see FIG. 1) combined in
step 310 and based on the packet filtering rule statements
described above relative to step 310. Each packet filtering rule of
the updated packet filtering rules specifies a source network
address or a range of source network addresses, a destination
network address or a range of destination network addresses, a port
or a range of ports, a protocol, and an action, such as permit or
deny the sending of a packet from one or more source devices of
source device(s) 116-1 . . . 116-M (see FIG. 1) to one or more
destination devices of destination device(s) 118-1 . . . 118-N (see
FIG. 1) via packet filtering device 114 (see FIG. 1).
[0055] In step 314, tool 104 (see FIG. 1) outputs to a computer
file the updates to the packet filtering rules as indicated in the
updating performed in step 312. In one embodiment, the updates to
the packet filtering rules output to the computer file include
packet filtering rules added to, deleted from and/or modified in an
existing security policy (i.e., a delta set of packet filtering
rules), without including unchanged packet filtering rules (i.e.,
without including the entire security policy). In another
embodiment, step 314 includes outputting to the computer file the
updated version of the entire security policy, which includes
results of the updating performed in step 312 and the packet
filtering rules that were unchanged by the updating performed in
step 312.
[0056] In one embodiment, subsequent to step 314 and prior to step
316, a person (e.g., network specialist) receives the computer file
that includes the updated packet filtering rules (e.g., by manually
receiving a storage device that stores the computer file or by
receiving an email), and subsequently inputs the received computer
file to the packet filtering device 114 (see FIG. 1). In another
embodiment, subsequent to step 314 and prior to step 316, tool 104
(see FIG. 1) automatically sends the computer file that includes
the updated packet filtering rules to packet filtering device 114
(see FIG. 1).
[0057] In step 316, packet filtering device 114 (see FIG. 1)
receives the updated packet filtering rules and subsequently uses
the updated packet filtering rules to filter packets sent by the
source device(s) referenced in step 312 to the destination
device(s) referenced in step 312.
[0058] In one embodiment, security policy creation and maintenance
tool 104 (see FIG. 1) generates and presents a notification that
includes the packet filtering rules that have changed based on the
update in step 312, but does not include the unchanged packet
filtering rules. Therefore, the packet filtering rule statements
may be generated and updated in step 312 in a way that is
incremental by the provision of a delta rules set.
[0059] In step 318, the process of maintaining a security policy
ends.
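As an added illustration of step 314 and of the two output forms of claims 19 and 20 (example code written for this page, not the patent's or tool 104's own), the Python below computes a delta set between an existing security policy and an updated one: rules are keyed by the connection they govern (source, destination, protocol, port), so a rule whose connection persists but whose action differs is reported as modified, while rules for a vanished or new connection are deleted or added and unchanged rules are left out of the delta file entirely. The two policies are constructed sample data standing in for the rules before and after a regeneration in step 312; the scenario combines a device address change (the db device moving from 10.0.3.31 to 10.0.3.41, Table 1, first row) with a service flow whose action changed. Rule representation and statement syntax are assumptions of the example.

```python
# A rule is (source address, destination address, protocol, port, action).
# The first four fields identify the connection a rule governs; a rule whose
# connection is unchanged but whose action differs is a "modified" rule.
def rule_key(rule):
    return rule[:4]


def compute_delta(existing, updated):
    """Classify the updated policy against the existing one (step 312/314).

    Returns a dict with 'added', 'deleted' and 'unchanged' rule lists and
    'modified' as a list of (old rule, new rule) pairs.
    """
    old = {rule_key(r): r for r in existing}
    new = {rule_key(r): r for r in updated}
    delta = {"added": [], "deleted": [], "modified": [], "unchanged": []}
    for key, rule in new.items():
        if key not in old:
            delta["added"].append(rule)
        elif old[key] != rule:
            delta["modified"].append((old[key], rule))
        else:
            delta["unchanged"].append(rule)
    delta["deleted"] = [rule for key, rule in old.items() if key not in new]
    return delta


def format_rule(rule):
    """Render one rule as a text statement (illustrative syntax)."""
    src, dst, proto, port, action = rule
    return f"{action} {proto} from {src} to {dst} port {port}"


def delta_file_lines(delta):
    """Incremental output (claim 19): changed rules only, each with its operation."""
    lines = [f"add {format_rule(r)}" for r in delta["added"]]
    lines += [f"delete {format_rule(r)}" for r in delta["deleted"]]
    lines += [f"modify {format_rule(new)}" for _, new in delta["modified"]]
    return lines


def replacement_file_lines(updated):
    """Full replacement output (claim 20): every rule of the updated policy."""
    return [format_rule(r) for r in updated]


# Constructed sample policies (not from the patent). In EXISTING_POLICY the
# db device is at 10.0.3.31; in UPDATED_POLICY it has been readdressed to
# 10.0.3.41 (device address set changed) and the monitoring flow on port 22
# has been changed from permit to deny (service flow set changed). The two
# web-to-app rules are untouched.
EXISTING_POLICY = [
    ("10.0.1.11", "10.0.2.21", "tcp", 8080, "permit"),
    ("10.0.1.12", "10.0.2.21", "tcp", 8080, "permit"),
    ("10.0.2.21", "10.0.3.31", "tcp", 5432, "permit"),
    ("10.0.9.9", "10.0.2.21", "tcp", 22, "permit"),
]
UPDATED_POLICY = [
    ("10.0.1.11", "10.0.2.21", "tcp", 8080, "permit"),
    ("10.0.1.12", "10.0.2.21", "tcp", 8080, "permit"),
    ("10.0.2.21", "10.0.3.41", "tcp", 5432, "permit"),
    ("10.0.9.9", "10.0.2.21", "tcp", 22, "deny"),
]


def sample_delta():
    """The delta set for the constructed scenario above."""
    return compute_delta(EXISTING_POLICY, UPDATED_POLICY)


if __name__ == "__main__":
    delta = sample_delta()
    print("--- delta set (incremental update) ---")
    for line in delta_file_lines(delta):
        print(line)
    print("--- full replacement ---")
    for line in replacement_file_lines(UPDATED_POLICY):
        print(line)
```

For the constructed scenario the delta file holds three lines (one add, one delete, one modify) and the replacement file holds all four rules. One caveat for anyone applying such a delta to a real device: keying on the connection tuple treats the policy as a set, whereas many packet filtering devices evaluate rules in order with first-match semantics, so an incremental update also has to preserve the position of each added or modified rule relative to the rules left unchanged.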
[0060] In addition to the modifications discussed above, the
process of FIG. 3 may include determining in step 302 that another
instance of an application is deployed. In this case, the remaining
steps of the process of FIG. 3 regenerate the packet filtering
rules with no change in the service-to-service connections, thereby
demonstrating portability. If changes are made at the location of a
first instance of the application, then those changes are carried
over to the new instance, thereby demonstrating how the process is
repeatable where modifications are preserved. In response to a
modification that includes deploying a new instance of an
application, the service placement specification set 108 (see FIG.
1) and the device address specification set 110 are affected, as
indicated in Table 2.
TABLE 2

Type of Modification | Service Flow Affected? | Service Placement Affected? | Device Address Affected?
New instance of application | No; the flow is between the same logical services | Yes; services are placed on devices | Yes; new devices are introduced with network addresses that are different from the network addresses of the previous instance
[0061] Further, step 302 may include determining that a service is
added to the system. In this case, a practitioner changes the
service flow specification set 106 (see FIG. 1) to modify the
service flow mapping to incorporate the new service and define how
the new service is connected to other services. The same
practitioner or another practitioner changes the service placement
specification set 108 (see FIG. 1) to indicate a mapping from the
new service to a device. If a new device has not been added, then
the device address specification set 110 (see FIG. 1) is not
changed by the addition of the new service. If a new device is
added to handle the new service, then another practitioner, or the
same practitioner who changes specification set 106 and/or
specification set 108 changes specification set 110 (see FIG. 1).
Again, if multiple practitioners make the aforementioned changes to
the specification sets, then the multiple practitioners make the
necessary changes independently of each other.
[0062] Still further, step 302 may include determining that there
is a change in how existing services communicate with one another.
For example, service A may previously initiate a communication with
service B, and after a change, service B now needs to also be able
to initiate a communication with service A. In this case, a
practitioner changes the service flow specification set 106 (see
FIG. 1) to indicate the change in how the services are
communicating with each other, but specification sets 108 and 110
(see FIG. 1) are unaffected by the change.
[0063] Embodiments of the present invention facilitate reusability.
For example, even on dissimilar applications, non-functional and
operational network traffic flows are often the same. In these
cases, high-level specification sets that specify the
non-functional and operational network traffic flows can be reused
on subsequent projects.
[0064] The high-level network traffic flows may be written in
general terms by service, and each control or data flow may be
liberally commented. Since the network traffic flows are specified
independently of how services are deployed on devices, or how many
instances there are, the specifications corresponding to the
network traffic flows are easy to read. Further, the network
traffic flows have stable definitions because they need not be
modified when there are changes in service deployment. Since the
network traffic flows are easily read, worded in terms that are
familiar to a system designer, and can be liberally commented, the
corresponding specification may be self-documenting.
Computer System
[0065] FIG. 4 is a block diagram of a computer system that is
included in the system of FIG. 1 and that implements the processes
of FIG. 2 and FIG. 3, in accordance with embodiments of the present
invention. Computer system 102 generally comprises a central
processing unit (CPU) 402, a memory 404, an input/output (I/O)
interface 406, and a bus 408. Further, computer system 102 is
coupled to I/O devices 410 and a computer data storage unit 412.
CPU 402 performs computation and control functions of computer
system 102, including carrying out instructions included in program
code 414 to perform a method of managing a security policy, where
the instructions are carried out by CPU 402 via memory 404. CPU 402
may comprise a single processing unit, or be distributed across one
or more processing units in one or more locations (e.g., on a
client and server).
[0066] Memory 404 may comprise any known computer-readable storage
medium, which is described below. In one embodiment, cache memory
elements of memory 404 provide temporary storage of at least some
program code (e.g., program code 414) in order to reduce the number
of times code must be retrieved from bulk storage while
instructions of the program code are carried out. Moreover, similar
to CPU 402, memory 404 may reside at a single physical location,
comprising one or more types of data storage, or be distributed
across a plurality of physical systems in various forms. Further,
memory 404 can include data distributed across, for example, a
local area network (LAN) or a wide area network (WAN).
[0067] I/O interface 406 comprises any system for exchanging
information to or from an external source. I/O devices 410 comprise
any known type of external device, including a display device
(e.g., monitor), keyboard, mouse, printer, speakers, handheld
device, facsimile, etc. Bus 408 provides a communication link
between each of the components in computer system 102, and may
comprise any type of transmission link, including electrical,
optical, wireless, etc.
[0068] I/O interface 406 also allows computer system 102 to store
information (e.g., data or program instructions such as program
code 414) on and retrieve the information from computer data
storage unit 412 or another computer data storage unit (not shown).
Computer data storage unit 412 may comprise any known
computer-readable storage medium, which is described below. For
example, computer data storage unit 412 may be a non-volatile data
storage device, such as a magnetic disk drive (i.e., hard disk
drive) or an optical disc drive (e.g., a CD-ROM drive which
receives a CD-ROM disk).
[0069] Memory 404 and/or storage unit 412 may store computer
program code 414 that includes instructions that are carried out by
CPU 402 via memory 404 to manage a security policy. Although FIG. 4
depicts memory 404 as including program code 414, the present
invention contemplates embodiments in which memory 404 does not
include all of code 414 simultaneously, but instead at one time
includes only a portion of code 414.
[0070] Further, memory 404 may include other systems not shown in
FIG. 4, such as an operating system (e.g., Linux) that runs on CPU
402 and provides control of various components within and/or
connected to computer system 102.
[0071] Storage unit 412 and/or one or more other computer data
storage units (not shown) that are coupled to computer system 102
may store specification sets 106, 108, 110 (see FIG. 1) and
security policy 112 (see FIG. 1).
[0072] As will be appreciated by one skilled in the art, the
present invention may be embodied as a system, method or computer
program product. Accordingly, an aspect of an embodiment of the
present invention may take the form of an entirely hardware aspect,
an entirely software aspect (including firmware, resident software,
micro-code, etc.) or an aspect combining software and hardware
aspects that may all generally be referred to herein as a
"module".
[0073] Furthermore, an embodiment of the present invention may take
the form of a computer program product embodied in one or more
computer-readable medium(s) (e.g., memory 404 and/or computer data
storage unit 412) having computer-readable program code (e.g.,
program code 414) embodied or stored thereon.
[0074] Any combination of one or more computer-readable mediums
(e.g., memory 404 and computer data storage unit 412) may be
utilized. The computer-readable medium may be a computer-readable
signal medium or a computer-readable storage medium. In one
embodiment the computer-readable storage medium is a
computer-readable storage device or computer-readable storage
apparatus. A computer-readable storage medium may be, for example,
but not limited to, an electronic, magnetic, optical,
electromagnetic, infrared or semiconductor system, apparatus,
device or any suitable combination of the foregoing. A
non-exhaustive list of more specific examples of the
computer-readable storage medium includes: an electrical connection
having one or more wires, a portable computer diskette, a hard
disk, a random access memory (RAM), a read-only memory (ROM), an
erasable programmable read-only memory (EPROM or Flash memory), an
optical fiber, a portable compact disc read-only memory (CD-ROM),
an optical storage device, a magnetic storage device, or any
suitable combination of the foregoing. In the context of this
document, a computer-readable storage medium may be a tangible
medium that can contain or store a program (e.g., program 414) for
use by or in connection with a system, apparatus, or device for
carrying out instructions.
[0075] A computer-readable signal medium may include a propagated
data signal with computer-readable program code embodied therein,
for example, in baseband or as part of a carrier wave. Such a
propagated signal may take any of a variety of forms, including,
but not limited to, electromagnetic, optical, or any suitable
combination thereof. A computer-readable signal medium may be any
computer-readable medium that is not a computer-readable storage
medium and that can communicate, propagate, or transport a program
for use by or in connection with a system, apparatus, or device for
carrying out instructions.
[0076] Program code (e.g., program code 414) embodied on a
computer-readable medium may be transmitted using any appropriate
medium, including but not limited to wireless, wireline, optical
fiber cable, RF, etc., or any suitable combination of the
foregoing.
[0077] Computer program code (e.g., program code 414) for carrying
out operations for aspects of the present invention may be written
in any combination of one or more programming languages, including
an object oriented programming language such as Java®,
Smalltalk, C++ or the like and conventional procedural programming
languages, such as the "C" programming language or similar
programming languages. Instructions of the program code may be
carried out entirely on a user's computer, partly on the user's
computer, as a stand-alone software package, partly on the user's
computer and partly on a remote computer or entirely on the remote
computer or server, where the aforementioned user's computer,
remote computer and server may be, for example, computer system 102
or another computer system (not shown) having components analogous
to the components of computer system 102 included in FIG. 4. In the
latter scenario, the remote computer may be connected to the user's
computer through any type of network (not shown), including a LAN
or a WAN, or the connection may be made to an external computer
(e.g., through the Internet using an Internet Service
Provider).
[0078] Aspects of the present invention are described herein with
reference to flowchart illustrations (e.g., FIG. 2 and FIG. 3)
and/or block diagrams of methods, apparatus (systems) (e.g., FIG. 1
and FIG. 4), and computer program products according to embodiments
of the invention. It will be understood that each block of the
flowchart illustrations and/or block diagrams, and combinations of
blocks in the flowchart illustrations and/or block diagrams, can be
implemented by computer program instructions (e.g., program code
414). These computer program instructions may be provided to one or
more hardware processors (e.g., CPU 402) of a general purpose
computer, special purpose computer, or other programmable data
processing apparatus to produce a machine, such that the
instructions, which are carried out via the processor(s) of the
computer or other programmable data processing apparatus, create
means for implementing the functions/acts specified in the
flowchart and/or block diagram block or blocks.
[0079] These computer program instructions may also be stored in a
computer-readable medium (e.g., memory 404 or computer data storage
unit 412) that can direct a computer (e.g., computer system 102),
other programmable data processing apparatus, or other devices to
function in a particular manner, such that the instructions (e.g.,
program 414) stored in the computer-readable medium produce an
article of manufacture including instructions which implement the
function/act specified in the flowchart and/or block diagram block
or blocks.
[0080] The computer program instructions may also be loaded onto a
computer (e.g., computer system 102), other programmable data
processing apparatus, or other devices to cause a series of
operational steps to be performed on the computer, other
programmable apparatus, or other devices to produce a computer
implemented process such that the instructions (e.g., program 414)
which are carried out on the computer, other programmable
apparatus, or other devices provide processes for implementing the
functions/acts specified in the flowchart and/or block diagram
block or blocks.
[0081] Any of the components of an embodiment of the present
invention can be deployed, managed, serviced, etc. by a service
provider that offers to deploy or integrate computing
infrastructure with respect to managing a security policy. Thus, an
embodiment of the present invention discloses a process for
supporting computer infrastructure, wherein the process comprises
providing at least one support service for at least one of
integrating, hosting, maintaining and deploying computer-readable
code (e.g., program code 414) in a computer system (e.g., computer
system 102) comprising one or more processors (e.g., CPU 402),
wherein the processor(s) carry out instructions contained in the
code causing the computer system to manage a security policy.
[0082] In another embodiment, the invention provides a method that
performs the process steps of the invention on a subscription,
advertising and/or fee basis. That is, a service provider, such as
a Solution Integrator, can offer to create, maintain, support, etc.
a process of managing a security policy. In this case, the service
provider can create, maintain, support, etc. a computer
infrastructure that performs the process steps of the invention for
one or more customers. In return, the service provider can receive
payment from the customer(s) under a subscription and/or fee
agreement, and/or the service provider can receive payment from the
sale of advertising content to one or more third parties.
[0083] The flowcharts in FIG. 2 and FIG. 3 and the block diagrams
in FIG. 1 and FIG. 4 illustrate the architecture, functionality,
and operation of possible implementations of systems, methods, and
computer program products according to various embodiments of the
present invention. In this regard, each block in the flowchart or
block diagrams may represent a module, segment, or portion of code
(e.g., program code 414), which comprises one or more executable
instructions for implementing the specified logical function(s). It
should also be noted that, in some alternative implementations, the
functions noted in the block may occur out of the order noted in
the figures. For example, two blocks shown in succession may, in
fact, be performed substantially concurrently, or the blocks may
sometimes be performed in reverse order, depending upon the
functionality involved. It will also be noted that each block of
the block diagrams and/or flowchart illustrations, and combinations
of blocks in the block diagrams and/or flowchart illustrations, can
be implemented by special purpose hardware-based systems that
perform the specified functions or acts, or combinations of special
purpose hardware and computer instructions.
[0084] While embodiments of the present invention have been
described herein for purposes of illustration, many modifications
and changes will become apparent to those skilled in the art.
Accordingly, the appended claims are intended to encompass all such
modifications and changes as fall within the true spirit and scope
of this invention.
* * * * *